Unlock LUKS key via SSH
Setup dropbear
Beware: Dropbear can't handle ed25519 keys at the moment (Debian 10, 2020-08).
apt install dropbear-initramfs
cp /home/varac/.ssh/authorized_keys /etc/dropbear/initramfs/
update-initramfs -u -k all
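The cp step above gives every key in the login authorized_keys file a full busybox shell in the initramfs. The following script is an added example (not part of the original notes) that writes a restricted file instead, forcing each key to run only cryptroot-unlock. The /bin/cryptroot-unlock path is an assumption taken from the Debian cryptsetup README linked under "Scripting unlocking", and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): build a least-privilege
# authorized_keys for the initramfs Dropbear instead of copying the
# login file verbatim.

# Options understood by Dropbear; the forced command path is an assumption
# taken from the Debian cryptsetup README.
RESTRICT_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"'

# Read authorized_keys lines on stdin, write restricted lines to stdout.
restrict_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)
                ;;                                   # blank line or comment
            ssh-ed25519\ *)
                # Per the note above: Dropbear on Debian 10 rejects ed25519.
                echo "skipped: ed25519 key (${line##* })" >&2 ;;
            ssh-rsa\ *|ecdsa-sha2-*\ *)
                printf '%s %s\n' "$RESTRICT_OPTS" "$line" ;;
            *)
                # Already has options, or a type this script does not know.
                echo "skipped: unrecognised line" >&2 ;;
        esac
    done
    return 0
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
# constructed sample, key blobs are placeholders
ssh-rsa AAAAB3NzaC1yc2EAAAA-CONSTRUCTED-RSA varac@laptop

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-ED varac@phone
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY-CONSTRUCTED-EC varac@desk
EOF
}

# Demo on the constructed sample. Real use, then rebuild the initramfs:
#   restrict_keys < ~/.ssh/authorized_keys > /etc/dropbear/initramfs/authorized_keys
sample_keys | restrict_keys
```

With a forced command the piped unlock shown under "Unlock" keeps working, because the passphrase still arrives on stdin. The manual busybox shell is no longer reachable with these keys.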
Unlock
Use the ssh_luks_unlock_HOSTNAME alias, defined e.g. as:
gopass show --password hardware/server/dapple/luks-system-pw \
| ssh -T dapple-initramfs cryptroot-unlock
Manual:
In the busybox shell, to unlock the root partition (and possibly others such as swap), run:
cryptroot-unlock
Unlocking via WLAN
- wifi-on-debian-initramfs: a bunch of files for enabling Wi-Fi in the Debian initramfs
- Enable Wireless networks in Debian Initramfs
cryptreboot
Convenient reboot for Linux systems with encrypted root partition.
Just type cryptreboot instead of reboot.
It asks for a passphrase and reboots the system afterward, automatically unlocking the drive on startup using in-memory initramfs patching and kexec. Without explicit consent, no secrets are stored on disk, even temporarily.
Scripting unlocking
- https://cryptsetup-team.pages.debian.net/cryptsetup/README.Debian.html#remotely-unlock-encrypted-rootfs
- unlock-cryptroot is a wrapper script, but you still need to enter the password manually
- Using cryptsetup on the server
tldr:
gopass show --password hardware/nucy/luks-pw | ssh -T nucy-initramfs cryptroot-unlock